On September 1, 2020, the industry says good-bye to 2-year public SSL/TLS certificates. Going forward Certificate Authorities (CA) can only issue public DV, OV, and EV certificates with a maximum validity of 398 days (approximately 13 months). 

To prepare for this industry change, our partner CAs - DigiCert, GeoTrust, Sectigo and PositiveSSL - will stop issuing 2-year public SSL/TLS certificates on August 27, 2020 5:59 pm MDT (23:59 UTC).

Additionally, the CAs will implement a 397-day maximum validity for all public DV, OV, and EV SSL/TLS certificates. This is a safeguard to account for time zone differences to avoid issuing a public SSL/TLS certificate that exceeds the new 398-day maximum validity requirement.

This industry change does not affect these types of certificates:

• Private SSL/TLS
• Client
• S/MIME
• Code Signing
• EV Code Signing
• Document Signing

To prepare for these changes and make sure you get needed 2-year public SSL/TLS certificates before the August 27 deadline:

• Take inventory of your current certificates and any new certificates you may want with a 2-year validity.
• Order any 2-year certificates that you need before August 13.
• Make sure to respond to any domain and organization validation requests in a timely manner.

For pending public SSL/TLS certificate orders with a validity greater than 397 days:

• The first certificate for the order will be issued with a maximum validity of 397 days.
• The order will keep the validity from the purchase.
  For example, if you ordered a 2-year certificate, the order will be valid for 24 months.
• To use the remaining coverage on the order, you will need to reissue the certificate during the order's final 397 days.
  Each order comes with unlimited certificate reissues at no cost.

This change doesn’t affect your active 2-year certificates issued before August 28, 2020. These certificates will continue to be trusted until they expire.

For example, on August 10, 2020, you purchase a 2-year OV SSL/TLS certificate. We issue the certificate on August 12, 2020. When the certificate nears its expiration date, instead of renewing it with another 2-year SSL/TLS certificate, you’ll need to renew it with a 1-year certificate.

The shortened maximum certificate lifecycle period of 397 days will impact public 2-year SSL/TLS certificates when reissued or duplicated.

The following types of actions require you to reissue a certificate:

• Adding a domain to a certificate
• Removing a domain from a certificate
• Swapping out a domain on a certificate
• Changing organization information (name, address, phone number, etc.)
• Duplicating a certificate
• Replacing your private key /public key pair

After the August 27 deadline, 2-year public SSL/TLS certificates reissues and duplicates will have a maximum validity of 397 days. This means some reissued certificates will expire before the order expires.

To use the remaining validity included with the order, reissue your certificates during the order's final 397-day period. You may request reissues with a validity of up to 397 days or the expiration of the order, whichever is soonest.

If you need to reissue a 2-year public SSL/TLS certificate and have questions about what to expect when the certificate is reissued, please contact your account representative or our Support team before you reissue it.